summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_lib.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_lib.c2725
1 files changed, 0 insertions, 2725 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
deleted file mode 100644
index 624841a7a4..0000000000
--- a/src/lib/libssl/s3_lib.c
+++ /dev/null
@@ -1,2725 +0,0 @@
1/* $OpenBSD: s3_lib.c,v 1.228 2022/03/17 17:24:37 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <limits.h>
152#include <stdio.h>
153
154#include <openssl/bn.h>
155#include <openssl/curve25519.h>
156#include <openssl/dh.h>
157#include <openssl/md5.h>
158#include <openssl/objects.h>
159#include <openssl/opensslconf.h>
160
161#include "bytestring.h"
162#include "dtls_locl.h"
163#include "ssl_locl.h"
164#include "ssl_sigalgs.h"
165#include "ssl_tlsext.h"
166
167#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
168
169/*
170 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
171 * fixed nonce length in algorithms2. It is the inverse of the
172 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
173 */
174#define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
175
176/* list of available SSLv3 ciphers (sorted by id) */
177const SSL_CIPHER ssl3_ciphers[] = {
178
179 /* The RSA ciphers */
180 /* Cipher 01 */
181 {
182 .valid = 1,
183 .name = SSL3_TXT_RSA_NULL_MD5,
184 .id = SSL3_CK_RSA_NULL_MD5,
185 .algorithm_mkey = SSL_kRSA,
186 .algorithm_auth = SSL_aRSA,
187 .algorithm_enc = SSL_eNULL,
188 .algorithm_mac = SSL_MD5,
189 .algorithm_ssl = SSL_SSLV3,
190 .algo_strength = SSL_STRONG_NONE,
191 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
192 .strength_bits = 0,
193 .alg_bits = 0,
194 },
195
196 /* Cipher 02 */
197 {
198 .valid = 1,
199 .name = SSL3_TXT_RSA_NULL_SHA,
200 .id = SSL3_CK_RSA_NULL_SHA,
201 .algorithm_mkey = SSL_kRSA,
202 .algorithm_auth = SSL_aRSA,
203 .algorithm_enc = SSL_eNULL,
204 .algorithm_mac = SSL_SHA1,
205 .algorithm_ssl = SSL_SSLV3,
206 .algo_strength = SSL_STRONG_NONE,
207 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
208 .strength_bits = 0,
209 .alg_bits = 0,
210 },
211
212 /* Cipher 04 */
213 {
214 .valid = 1,
215 .name = SSL3_TXT_RSA_RC4_128_MD5,
216 .id = SSL3_CK_RSA_RC4_128_MD5,
217 .algorithm_mkey = SSL_kRSA,
218 .algorithm_auth = SSL_aRSA,
219 .algorithm_enc = SSL_RC4,
220 .algorithm_mac = SSL_MD5,
221 .algorithm_ssl = SSL_SSLV3,
222 .algo_strength = SSL_LOW,
223 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
224 .strength_bits = 128,
225 .alg_bits = 128,
226 },
227
228 /* Cipher 05 */
229 {
230 .valid = 1,
231 .name = SSL3_TXT_RSA_RC4_128_SHA,
232 .id = SSL3_CK_RSA_RC4_128_SHA,
233 .algorithm_mkey = SSL_kRSA,
234 .algorithm_auth = SSL_aRSA,
235 .algorithm_enc = SSL_RC4,
236 .algorithm_mac = SSL_SHA1,
237 .algorithm_ssl = SSL_SSLV3,
238 .algo_strength = SSL_LOW,
239 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
240 .strength_bits = 128,
241 .alg_bits = 128,
242 },
243
244 /* Cipher 0A */
245 {
246 .valid = 1,
247 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
248 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
249 .algorithm_mkey = SSL_kRSA,
250 .algorithm_auth = SSL_aRSA,
251 .algorithm_enc = SSL_3DES,
252 .algorithm_mac = SSL_SHA1,
253 .algorithm_ssl = SSL_SSLV3,
254 .algo_strength = SSL_MEDIUM,
255 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256 .strength_bits = 112,
257 .alg_bits = 168,
258 },
259
260 /*
261 * Ephemeral DH (DHE) ciphers.
262 */
263
264 /* Cipher 16 */
265 {
266 .valid = 1,
267 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
268 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
269 .algorithm_mkey = SSL_kDHE,
270 .algorithm_auth = SSL_aRSA,
271 .algorithm_enc = SSL_3DES,
272 .algorithm_mac = SSL_SHA1,
273 .algorithm_ssl = SSL_SSLV3,
274 .algo_strength = SSL_MEDIUM,
275 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
276 .strength_bits = 112,
277 .alg_bits = 168,
278 },
279
280 /* Cipher 18 */
281 {
282 .valid = 1,
283 .name = SSL3_TXT_ADH_RC4_128_MD5,
284 .id = SSL3_CK_ADH_RC4_128_MD5,
285 .algorithm_mkey = SSL_kDHE,
286 .algorithm_auth = SSL_aNULL,
287 .algorithm_enc = SSL_RC4,
288 .algorithm_mac = SSL_MD5,
289 .algorithm_ssl = SSL_SSLV3,
290 .algo_strength = SSL_LOW,
291 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
292 .strength_bits = 128,
293 .alg_bits = 128,
294 },
295
296 /* Cipher 1B */
297 {
298 .valid = 1,
299 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
300 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
301 .algorithm_mkey = SSL_kDHE,
302 .algorithm_auth = SSL_aNULL,
303 .algorithm_enc = SSL_3DES,
304 .algorithm_mac = SSL_SHA1,
305 .algorithm_ssl = SSL_SSLV3,
306 .algo_strength = SSL_MEDIUM,
307 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
308 .strength_bits = 112,
309 .alg_bits = 168,
310 },
311
312 /*
313 * AES ciphersuites.
314 */
315
316 /* Cipher 2F */
317 {
318 .valid = 1,
319 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
320 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
321 .algorithm_mkey = SSL_kRSA,
322 .algorithm_auth = SSL_aRSA,
323 .algorithm_enc = SSL_AES128,
324 .algorithm_mac = SSL_SHA1,
325 .algorithm_ssl = SSL_TLSV1,
326 .algo_strength = SSL_HIGH,
327 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
328 .strength_bits = 128,
329 .alg_bits = 128,
330 },
331
332 /* Cipher 33 */
333 {
334 .valid = 1,
335 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
336 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
337 .algorithm_mkey = SSL_kDHE,
338 .algorithm_auth = SSL_aRSA,
339 .algorithm_enc = SSL_AES128,
340 .algorithm_mac = SSL_SHA1,
341 .algorithm_ssl = SSL_TLSV1,
342 .algo_strength = SSL_HIGH,
343 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
344 .strength_bits = 128,
345 .alg_bits = 128,
346 },
347
348 /* Cipher 34 */
349 {
350 .valid = 1,
351 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
352 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
353 .algorithm_mkey = SSL_kDHE,
354 .algorithm_auth = SSL_aNULL,
355 .algorithm_enc = SSL_AES128,
356 .algorithm_mac = SSL_SHA1,
357 .algorithm_ssl = SSL_TLSV1,
358 .algo_strength = SSL_HIGH,
359 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
360 .strength_bits = 128,
361 .alg_bits = 128,
362 },
363
364 /* Cipher 35 */
365 {
366 .valid = 1,
367 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
368 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
369 .algorithm_mkey = SSL_kRSA,
370 .algorithm_auth = SSL_aRSA,
371 .algorithm_enc = SSL_AES256,
372 .algorithm_mac = SSL_SHA1,
373 .algorithm_ssl = SSL_TLSV1,
374 .algo_strength = SSL_HIGH,
375 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
376 .strength_bits = 256,
377 .alg_bits = 256,
378 },
379
380 /* Cipher 39 */
381 {
382 .valid = 1,
383 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
384 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
385 .algorithm_mkey = SSL_kDHE,
386 .algorithm_auth = SSL_aRSA,
387 .algorithm_enc = SSL_AES256,
388 .algorithm_mac = SSL_SHA1,
389 .algorithm_ssl = SSL_TLSV1,
390 .algo_strength = SSL_HIGH,
391 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
392 .strength_bits = 256,
393 .alg_bits = 256,
394 },
395
396 /* Cipher 3A */
397 {
398 .valid = 1,
399 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
400 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
401 .algorithm_mkey = SSL_kDHE,
402 .algorithm_auth = SSL_aNULL,
403 .algorithm_enc = SSL_AES256,
404 .algorithm_mac = SSL_SHA1,
405 .algorithm_ssl = SSL_TLSV1,
406 .algo_strength = SSL_HIGH,
407 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
408 .strength_bits = 256,
409 .alg_bits = 256,
410 },
411
412 /* TLS v1.2 ciphersuites */
413 /* Cipher 3B */
414 {
415 .valid = 1,
416 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
417 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
418 .algorithm_mkey = SSL_kRSA,
419 .algorithm_auth = SSL_aRSA,
420 .algorithm_enc = SSL_eNULL,
421 .algorithm_mac = SSL_SHA256,
422 .algorithm_ssl = SSL_TLSV1_2,
423 .algo_strength = SSL_STRONG_NONE,
424 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
425 .strength_bits = 0,
426 .alg_bits = 0,
427 },
428
429 /* Cipher 3C */
430 {
431 .valid = 1,
432 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
433 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
434 .algorithm_mkey = SSL_kRSA,
435 .algorithm_auth = SSL_aRSA,
436 .algorithm_enc = SSL_AES128,
437 .algorithm_mac = SSL_SHA256,
438 .algorithm_ssl = SSL_TLSV1_2,
439 .algo_strength = SSL_HIGH,
440 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
441 .strength_bits = 128,
442 .alg_bits = 128,
443 },
444
445 /* Cipher 3D */
446 {
447 .valid = 1,
448 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
449 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
450 .algorithm_mkey = SSL_kRSA,
451 .algorithm_auth = SSL_aRSA,
452 .algorithm_enc = SSL_AES256,
453 .algorithm_mac = SSL_SHA256,
454 .algorithm_ssl = SSL_TLSV1_2,
455 .algo_strength = SSL_HIGH,
456 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
457 .strength_bits = 256,
458 .alg_bits = 256,
459 },
460
461#ifndef OPENSSL_NO_CAMELLIA
462 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
463
464 /* Cipher 41 */
465 {
466 .valid = 1,
467 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
468 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
469 .algorithm_mkey = SSL_kRSA,
470 .algorithm_auth = SSL_aRSA,
471 .algorithm_enc = SSL_CAMELLIA128,
472 .algorithm_mac = SSL_SHA1,
473 .algorithm_ssl = SSL_TLSV1,
474 .algo_strength = SSL_HIGH,
475 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
476 .strength_bits = 128,
477 .alg_bits = 128,
478 },
479
480 /* Cipher 45 */
481 {
482 .valid = 1,
483 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
484 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
485 .algorithm_mkey = SSL_kDHE,
486 .algorithm_auth = SSL_aRSA,
487 .algorithm_enc = SSL_CAMELLIA128,
488 .algorithm_mac = SSL_SHA1,
489 .algorithm_ssl = SSL_TLSV1,
490 .algo_strength = SSL_HIGH,
491 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
492 .strength_bits = 128,
493 .alg_bits = 128,
494 },
495
496 /* Cipher 46 */
497 {
498 .valid = 1,
499 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
500 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
501 .algorithm_mkey = SSL_kDHE,
502 .algorithm_auth = SSL_aNULL,
503 .algorithm_enc = SSL_CAMELLIA128,
504 .algorithm_mac = SSL_SHA1,
505 .algorithm_ssl = SSL_TLSV1,
506 .algo_strength = SSL_HIGH,
507 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
508 .strength_bits = 128,
509 .alg_bits = 128,
510 },
511#endif /* OPENSSL_NO_CAMELLIA */
512
513 /* TLS v1.2 ciphersuites */
514 /* Cipher 67 */
515 {
516 .valid = 1,
517 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
518 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
519 .algorithm_mkey = SSL_kDHE,
520 .algorithm_auth = SSL_aRSA,
521 .algorithm_enc = SSL_AES128,
522 .algorithm_mac = SSL_SHA256,
523 .algorithm_ssl = SSL_TLSV1_2,
524 .algo_strength = SSL_HIGH,
525 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
526 .strength_bits = 128,
527 .alg_bits = 128,
528 },
529
530 /* Cipher 6B */
531 {
532 .valid = 1,
533 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
534 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
535 .algorithm_mkey = SSL_kDHE,
536 .algorithm_auth = SSL_aRSA,
537 .algorithm_enc = SSL_AES256,
538 .algorithm_mac = SSL_SHA256,
539 .algorithm_ssl = SSL_TLSV1_2,
540 .algo_strength = SSL_HIGH,
541 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
542 .strength_bits = 256,
543 .alg_bits = 256,
544 },
545
546 /* Cipher 6C */
547 {
548 .valid = 1,
549 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
550 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
551 .algorithm_mkey = SSL_kDHE,
552 .algorithm_auth = SSL_aNULL,
553 .algorithm_enc = SSL_AES128,
554 .algorithm_mac = SSL_SHA256,
555 .algorithm_ssl = SSL_TLSV1_2,
556 .algo_strength = SSL_HIGH,
557 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
558 .strength_bits = 128,
559 .alg_bits = 128,
560 },
561
562 /* Cipher 6D */
563 {
564 .valid = 1,
565 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
566 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
567 .algorithm_mkey = SSL_kDHE,
568 .algorithm_auth = SSL_aNULL,
569 .algorithm_enc = SSL_AES256,
570 .algorithm_mac = SSL_SHA256,
571 .algorithm_ssl = SSL_TLSV1_2,
572 .algo_strength = SSL_HIGH,
573 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
574 .strength_bits = 256,
575 .alg_bits = 256,
576 },
577
578 /* GOST Ciphersuites */
579
580 /* Cipher 81 */
581 {
582 .valid = 1,
583 .name = "GOST2001-GOST89-GOST89",
584 .id = 0x3000081,
585 .algorithm_mkey = SSL_kGOST,
586 .algorithm_auth = SSL_aGOST01,
587 .algorithm_enc = SSL_eGOST2814789CNT,
588 .algorithm_mac = SSL_GOST89MAC,
589 .algorithm_ssl = SSL_TLSV1,
590 .algo_strength = SSL_HIGH,
591 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
592 TLS1_STREAM_MAC,
593 .strength_bits = 256,
594 .alg_bits = 256
595 },
596
597 /* Cipher 83 */
598 {
599 .valid = 1,
600 .name = "GOST2001-NULL-GOST94",
601 .id = 0x3000083,
602 .algorithm_mkey = SSL_kGOST,
603 .algorithm_auth = SSL_aGOST01,
604 .algorithm_enc = SSL_eNULL,
605 .algorithm_mac = SSL_GOST94,
606 .algorithm_ssl = SSL_TLSV1,
607 .algo_strength = SSL_STRONG_NONE,
608 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
609 .strength_bits = 0,
610 .alg_bits = 0
611 },
612
613#ifndef OPENSSL_NO_CAMELLIA
614 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
615
616 /* Cipher 84 */
617 {
618 .valid = 1,
619 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
620 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
621 .algorithm_mkey = SSL_kRSA,
622 .algorithm_auth = SSL_aRSA,
623 .algorithm_enc = SSL_CAMELLIA256,
624 .algorithm_mac = SSL_SHA1,
625 .algorithm_ssl = SSL_TLSV1,
626 .algo_strength = SSL_HIGH,
627 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
628 .strength_bits = 256,
629 .alg_bits = 256,
630 },
631
632 /* Cipher 88 */
633 {
634 .valid = 1,
635 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
636 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
637 .algorithm_mkey = SSL_kDHE,
638 .algorithm_auth = SSL_aRSA,
639 .algorithm_enc = SSL_CAMELLIA256,
640 .algorithm_mac = SSL_SHA1,
641 .algorithm_ssl = SSL_TLSV1,
642 .algo_strength = SSL_HIGH,
643 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
644 .strength_bits = 256,
645 .alg_bits = 256,
646 },
647
648 /* Cipher 89 */
649 {
650 .valid = 1,
651 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
652 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
653 .algorithm_mkey = SSL_kDHE,
654 .algorithm_auth = SSL_aNULL,
655 .algorithm_enc = SSL_CAMELLIA256,
656 .algorithm_mac = SSL_SHA1,
657 .algorithm_ssl = SSL_TLSV1,
658 .algo_strength = SSL_HIGH,
659 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
660 .strength_bits = 256,
661 .alg_bits = 256,
662 },
663#endif /* OPENSSL_NO_CAMELLIA */
664
665 /*
666 * GCM ciphersuites from RFC5288.
667 */
668
669 /* Cipher 9C */
670 {
671 .valid = 1,
672 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
673 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
674 .algorithm_mkey = SSL_kRSA,
675 .algorithm_auth = SSL_aRSA,
676 .algorithm_enc = SSL_AES128GCM,
677 .algorithm_mac = SSL_AEAD,
678 .algorithm_ssl = SSL_TLSV1_2,
679 .algo_strength = SSL_HIGH,
680 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
681 FIXED_NONCE_LEN(4)|
682 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
683 .strength_bits = 128,
684 .alg_bits = 128,
685 },
686
687 /* Cipher 9D */
688 {
689 .valid = 1,
690 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
691 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
692 .algorithm_mkey = SSL_kRSA,
693 .algorithm_auth = SSL_aRSA,
694 .algorithm_enc = SSL_AES256GCM,
695 .algorithm_mac = SSL_AEAD,
696 .algorithm_ssl = SSL_TLSV1_2,
697 .algo_strength = SSL_HIGH,
698 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
699 FIXED_NONCE_LEN(4)|
700 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
701 .strength_bits = 256,
702 .alg_bits = 256,
703 },
704
705 /* Cipher 9E */
706 {
707 .valid = 1,
708 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
709 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
710 .algorithm_mkey = SSL_kDHE,
711 .algorithm_auth = SSL_aRSA,
712 .algorithm_enc = SSL_AES128GCM,
713 .algorithm_mac = SSL_AEAD,
714 .algorithm_ssl = SSL_TLSV1_2,
715 .algo_strength = SSL_HIGH,
716 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
717 FIXED_NONCE_LEN(4)|
718 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
719 .strength_bits = 128,
720 .alg_bits = 128,
721 },
722
723 /* Cipher 9F */
724 {
725 .valid = 1,
726 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
727 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
728 .algorithm_mkey = SSL_kDHE,
729 .algorithm_auth = SSL_aRSA,
730 .algorithm_enc = SSL_AES256GCM,
731 .algorithm_mac = SSL_AEAD,
732 .algorithm_ssl = SSL_TLSV1_2,
733 .algo_strength = SSL_HIGH,
734 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
735 FIXED_NONCE_LEN(4)|
736 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
737 .strength_bits = 256,
738 .alg_bits = 256,
739 },
740
741 /* Cipher A6 */
742 {
743 .valid = 1,
744 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
745 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
746 .algorithm_mkey = SSL_kDHE,
747 .algorithm_auth = SSL_aNULL,
748 .algorithm_enc = SSL_AES128GCM,
749 .algorithm_mac = SSL_AEAD,
750 .algorithm_ssl = SSL_TLSV1_2,
751 .algo_strength = SSL_HIGH,
752 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
753 FIXED_NONCE_LEN(4)|
754 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
755 .strength_bits = 128,
756 .alg_bits = 128,
757 },
758
759 /* Cipher A7 */
760 {
761 .valid = 1,
762 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
763 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
764 .algorithm_mkey = SSL_kDHE,
765 .algorithm_auth = SSL_aNULL,
766 .algorithm_enc = SSL_AES256GCM,
767 .algorithm_mac = SSL_AEAD,
768 .algorithm_ssl = SSL_TLSV1_2,
769 .algo_strength = SSL_HIGH,
770 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
771 FIXED_NONCE_LEN(4)|
772 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
773 .strength_bits = 256,
774 .alg_bits = 256,
775 },
776
777#ifndef OPENSSL_NO_CAMELLIA
778 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
779
780 /* Cipher BA */
781 {
782 .valid = 1,
783 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
784 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
785 .algorithm_mkey = SSL_kRSA,
786 .algorithm_auth = SSL_aRSA,
787 .algorithm_enc = SSL_CAMELLIA128,
788 .algorithm_mac = SSL_SHA256,
789 .algorithm_ssl = SSL_TLSV1_2,
790 .algo_strength = SSL_HIGH,
791 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
792 .strength_bits = 128,
793 .alg_bits = 128,
794 },
795
796 /* Cipher BE */
797 {
798 .valid = 1,
799 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
800 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
801 .algorithm_mkey = SSL_kDHE,
802 .algorithm_auth = SSL_aRSA,
803 .algorithm_enc = SSL_CAMELLIA128,
804 .algorithm_mac = SSL_SHA256,
805 .algorithm_ssl = SSL_TLSV1_2,
806 .algo_strength = SSL_HIGH,
807 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
808 .strength_bits = 128,
809 .alg_bits = 128,
810 },
811
812 /* Cipher BF */
813 {
814 .valid = 1,
815 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
816 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
817 .algorithm_mkey = SSL_kDHE,
818 .algorithm_auth = SSL_aNULL,
819 .algorithm_enc = SSL_CAMELLIA128,
820 .algorithm_mac = SSL_SHA256,
821 .algorithm_ssl = SSL_TLSV1_2,
822 .algo_strength = SSL_HIGH,
823 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
824 .strength_bits = 128,
825 .alg_bits = 128,
826 },
827
828 /* Cipher C0 */
829 {
830 .valid = 1,
831 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
832 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
833 .algorithm_mkey = SSL_kRSA,
834 .algorithm_auth = SSL_aRSA,
835 .algorithm_enc = SSL_CAMELLIA256,
836 .algorithm_mac = SSL_SHA256,
837 .algorithm_ssl = SSL_TLSV1_2,
838 .algo_strength = SSL_HIGH,
839 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
840 .strength_bits = 256,
841 .alg_bits = 256,
842 },
843
844 /* Cipher C4 */
845 {
846 .valid = 1,
847 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
848 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
849 .algorithm_mkey = SSL_kDHE,
850 .algorithm_auth = SSL_aRSA,
851 .algorithm_enc = SSL_CAMELLIA256,
852 .algorithm_mac = SSL_SHA256,
853 .algorithm_ssl = SSL_TLSV1_2,
854 .algo_strength = SSL_HIGH,
855 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
856 .strength_bits = 256,
857 .alg_bits = 256,
858 },
859
860 /* Cipher C5 */
861 {
862 .valid = 1,
863 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
864 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
865 .algorithm_mkey = SSL_kDHE,
866 .algorithm_auth = SSL_aNULL,
867 .algorithm_enc = SSL_CAMELLIA256,
868 .algorithm_mac = SSL_SHA256,
869 .algorithm_ssl = SSL_TLSV1_2,
870 .algo_strength = SSL_HIGH,
871 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
872 .strength_bits = 256,
873 .alg_bits = 256,
874 },
875#endif /* OPENSSL_NO_CAMELLIA */
876
877 /*
878 * TLSv1.3 cipher suites.
879 */
880
881#ifdef LIBRESSL_HAS_TLS1_3
882 /* Cipher 1301 */
883 {
884 .valid = 1,
885 .name = TLS1_3_RFC_AES_128_GCM_SHA256,
886 .id = TLS1_3_CK_AES_128_GCM_SHA256,
887 .algorithm_mkey = SSL_kTLS1_3,
888 .algorithm_auth = SSL_aTLS1_3,
889 .algorithm_enc = SSL_AES128GCM,
890 .algorithm_mac = SSL_AEAD,
891 .algorithm_ssl = SSL_TLSV1_3,
892 .algo_strength = SSL_HIGH,
893 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
894 .strength_bits = 128,
895 .alg_bits = 128,
896 },
897
898 /* Cipher 1302 */
899 {
900 .valid = 1,
901 .name = TLS1_3_RFC_AES_256_GCM_SHA384,
902 .id = TLS1_3_CK_AES_256_GCM_SHA384,
903 .algorithm_mkey = SSL_kTLS1_3,
904 .algorithm_auth = SSL_aTLS1_3,
905 .algorithm_enc = SSL_AES256GCM,
906 .algorithm_mac = SSL_AEAD,
907 .algorithm_ssl = SSL_TLSV1_3,
908 .algo_strength = SSL_HIGH,
909 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
910 .strength_bits = 256,
911 .alg_bits = 256,
912 },
913
914 /* Cipher 1303 */
915 {
916 .valid = 1,
917 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
918 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
919 .algorithm_mkey = SSL_kTLS1_3,
920 .algorithm_auth = SSL_aTLS1_3,
921 .algorithm_enc = SSL_CHACHA20POLY1305,
922 .algorithm_mac = SSL_AEAD,
923 .algorithm_ssl = SSL_TLSV1_3,
924 .algo_strength = SSL_HIGH,
925 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
926 .strength_bits = 256,
927 .alg_bits = 256,
928 },
929#endif
930
931 /* Cipher C006 */
932 {
933 .valid = 1,
934 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
935 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
936 .algorithm_mkey = SSL_kECDHE,
937 .algorithm_auth = SSL_aECDSA,
938 .algorithm_enc = SSL_eNULL,
939 .algorithm_mac = SSL_SHA1,
940 .algorithm_ssl = SSL_TLSV1,
941 .algo_strength = SSL_STRONG_NONE,
942 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
943 .strength_bits = 0,
944 .alg_bits = 0,
945 },
946
947 /* Cipher C007 */
948 {
949 .valid = 1,
950 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
951 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
952 .algorithm_mkey = SSL_kECDHE,
953 .algorithm_auth = SSL_aECDSA,
954 .algorithm_enc = SSL_RC4,
955 .algorithm_mac = SSL_SHA1,
956 .algorithm_ssl = SSL_TLSV1,
957 .algo_strength = SSL_LOW,
958 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
959 .strength_bits = 128,
960 .alg_bits = 128,
961 },
962
963 /* Cipher C008 */
964 {
965 .valid = 1,
966 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
967 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
968 .algorithm_mkey = SSL_kECDHE,
969 .algorithm_auth = SSL_aECDSA,
970 .algorithm_enc = SSL_3DES,
971 .algorithm_mac = SSL_SHA1,
972 .algorithm_ssl = SSL_TLSV1,
973 .algo_strength = SSL_MEDIUM,
974 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
975 .strength_bits = 112,
976 .alg_bits = 168,
977 },
978
979 /* Cipher C009 */
980 {
981 .valid = 1,
982 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
983 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
984 .algorithm_mkey = SSL_kECDHE,
985 .algorithm_auth = SSL_aECDSA,
986 .algorithm_enc = SSL_AES128,
987 .algorithm_mac = SSL_SHA1,
988 .algorithm_ssl = SSL_TLSV1,
989 .algo_strength = SSL_HIGH,
990 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
991 .strength_bits = 128,
992 .alg_bits = 128,
993 },
994
995 /* Cipher C00A */
996 {
997 .valid = 1,
998 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
999 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1000 .algorithm_mkey = SSL_kECDHE,
1001 .algorithm_auth = SSL_aECDSA,
1002 .algorithm_enc = SSL_AES256,
1003 .algorithm_mac = SSL_SHA1,
1004 .algorithm_ssl = SSL_TLSV1,
1005 .algo_strength = SSL_HIGH,
1006 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1007 .strength_bits = 256,
1008 .alg_bits = 256,
1009 },
1010
1011 /* Cipher C010 */
1012 {
1013 .valid = 1,
1014 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1015 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1016 .algorithm_mkey = SSL_kECDHE,
1017 .algorithm_auth = SSL_aRSA,
1018 .algorithm_enc = SSL_eNULL,
1019 .algorithm_mac = SSL_SHA1,
1020 .algorithm_ssl = SSL_TLSV1,
1021 .algo_strength = SSL_STRONG_NONE,
1022 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1023 .strength_bits = 0,
1024 .alg_bits = 0,
1025 },
1026
1027 /* Cipher C011 */
1028 {
1029 .valid = 1,
1030 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1031 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1032 .algorithm_mkey = SSL_kECDHE,
1033 .algorithm_auth = SSL_aRSA,
1034 .algorithm_enc = SSL_RC4,
1035 .algorithm_mac = SSL_SHA1,
1036 .algorithm_ssl = SSL_TLSV1,
1037 .algo_strength = SSL_LOW,
1038 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1039 .strength_bits = 128,
1040 .alg_bits = 128,
1041 },
1042
1043 /* Cipher C012 */
1044 {
1045 .valid = 1,
1046 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1047 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1048 .algorithm_mkey = SSL_kECDHE,
1049 .algorithm_auth = SSL_aRSA,
1050 .algorithm_enc = SSL_3DES,
1051 .algorithm_mac = SSL_SHA1,
1052 .algorithm_ssl = SSL_TLSV1,
1053 .algo_strength = SSL_MEDIUM,
1054 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1055 .strength_bits = 112,
1056 .alg_bits = 168,
1057 },
1058
1059 /* Cipher C013 */
1060 {
1061 .valid = 1,
1062 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1063 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1064 .algorithm_mkey = SSL_kECDHE,
1065 .algorithm_auth = SSL_aRSA,
1066 .algorithm_enc = SSL_AES128,
1067 .algorithm_mac = SSL_SHA1,
1068 .algorithm_ssl = SSL_TLSV1,
1069 .algo_strength = SSL_HIGH,
1070 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1071 .strength_bits = 128,
1072 .alg_bits = 128,
1073 },
1074
1075 /* Cipher C014 */
1076 {
1077 .valid = 1,
1078 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1079 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1080 .algorithm_mkey = SSL_kECDHE,
1081 .algorithm_auth = SSL_aRSA,
1082 .algorithm_enc = SSL_AES256,
1083 .algorithm_mac = SSL_SHA1,
1084 .algorithm_ssl = SSL_TLSV1,
1085 .algo_strength = SSL_HIGH,
1086 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1087 .strength_bits = 256,
1088 .alg_bits = 256,
1089 },
1090
1091 /* Cipher C015 */
1092 {
1093 .valid = 1,
1094 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1095 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1096 .algorithm_mkey = SSL_kECDHE,
1097 .algorithm_auth = SSL_aNULL,
1098 .algorithm_enc = SSL_eNULL,
1099 .algorithm_mac = SSL_SHA1,
1100 .algorithm_ssl = SSL_TLSV1,
1101 .algo_strength = SSL_STRONG_NONE,
1102 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1103 .strength_bits = 0,
1104 .alg_bits = 0,
1105 },
1106
1107 /* Cipher C016 */
1108 {
1109 .valid = 1,
1110 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1111 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1112 .algorithm_mkey = SSL_kECDHE,
1113 .algorithm_auth = SSL_aNULL,
1114 .algorithm_enc = SSL_RC4,
1115 .algorithm_mac = SSL_SHA1,
1116 .algorithm_ssl = SSL_TLSV1,
1117 .algo_strength = SSL_LOW,
1118 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1119 .strength_bits = 128,
1120 .alg_bits = 128,
1121 },
1122
1123 /* Cipher C017 */
1124 {
1125 .valid = 1,
1126 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1127 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1128 .algorithm_mkey = SSL_kECDHE,
1129 .algorithm_auth = SSL_aNULL,
1130 .algorithm_enc = SSL_3DES,
1131 .algorithm_mac = SSL_SHA1,
1132 .algorithm_ssl = SSL_TLSV1,
1133 .algo_strength = SSL_MEDIUM,
1134 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1135 .strength_bits = 112,
1136 .alg_bits = 168,
1137 },
1138
1139 /* Cipher C018 */
1140 {
1141 .valid = 1,
1142 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1143 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1144 .algorithm_mkey = SSL_kECDHE,
1145 .algorithm_auth = SSL_aNULL,
1146 .algorithm_enc = SSL_AES128,
1147 .algorithm_mac = SSL_SHA1,
1148 .algorithm_ssl = SSL_TLSV1,
1149 .algo_strength = SSL_HIGH,
1150 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1151 .strength_bits = 128,
1152 .alg_bits = 128,
1153 },
1154
1155 /* Cipher C019 */
1156 {
1157 .valid = 1,
1158 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1159 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1160 .algorithm_mkey = SSL_kECDHE,
1161 .algorithm_auth = SSL_aNULL,
1162 .algorithm_enc = SSL_AES256,
1163 .algorithm_mac = SSL_SHA1,
1164 .algorithm_ssl = SSL_TLSV1,
1165 .algo_strength = SSL_HIGH,
1166 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1167 .strength_bits = 256,
1168 .alg_bits = 256,
1169 },
1170
1171
1172 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1173
1174 /* Cipher C023 */
1175 {
1176 .valid = 1,
1177 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1178 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1179 .algorithm_mkey = SSL_kECDHE,
1180 .algorithm_auth = SSL_aECDSA,
1181 .algorithm_enc = SSL_AES128,
1182 .algorithm_mac = SSL_SHA256,
1183 .algorithm_ssl = SSL_TLSV1_2,
1184 .algo_strength = SSL_HIGH,
1185 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1186 .strength_bits = 128,
1187 .alg_bits = 128,
1188 },
1189
1190 /* Cipher C024 */
1191 {
1192 .valid = 1,
1193 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1194 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1195 .algorithm_mkey = SSL_kECDHE,
1196 .algorithm_auth = SSL_aECDSA,
1197 .algorithm_enc = SSL_AES256,
1198 .algorithm_mac = SSL_SHA384,
1199 .algorithm_ssl = SSL_TLSV1_2,
1200 .algo_strength = SSL_HIGH,
1201 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1202 .strength_bits = 256,
1203 .alg_bits = 256,
1204 },
1205
1206 /* Cipher C027 */
1207 {
1208 .valid = 1,
1209 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1210 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1211 .algorithm_mkey = SSL_kECDHE,
1212 .algorithm_auth = SSL_aRSA,
1213 .algorithm_enc = SSL_AES128,
1214 .algorithm_mac = SSL_SHA256,
1215 .algorithm_ssl = SSL_TLSV1_2,
1216 .algo_strength = SSL_HIGH,
1217 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1218 .strength_bits = 128,
1219 .alg_bits = 128,
1220 },
1221
1222 /* Cipher C028 */
1223 {
1224 .valid = 1,
1225 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1226 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1227 .algorithm_mkey = SSL_kECDHE,
1228 .algorithm_auth = SSL_aRSA,
1229 .algorithm_enc = SSL_AES256,
1230 .algorithm_mac = SSL_SHA384,
1231 .algorithm_ssl = SSL_TLSV1_2,
1232 .algo_strength = SSL_HIGH,
1233 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1234 .strength_bits = 256,
1235 .alg_bits = 256,
1236 },
1237
1238 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1239
1240 /* Cipher C02B */
1241 {
1242 .valid = 1,
1243 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1244 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1245 .algorithm_mkey = SSL_kECDHE,
1246 .algorithm_auth = SSL_aECDSA,
1247 .algorithm_enc = SSL_AES128GCM,
1248 .algorithm_mac = SSL_AEAD,
1249 .algorithm_ssl = SSL_TLSV1_2,
1250 .algo_strength = SSL_HIGH,
1251 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1252 FIXED_NONCE_LEN(4)|
1253 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1254 .strength_bits = 128,
1255 .alg_bits = 128,
1256 },
1257
1258 /* Cipher C02C */
1259 {
1260 .valid = 1,
1261 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1262 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1263 .algorithm_mkey = SSL_kECDHE,
1264 .algorithm_auth = SSL_aECDSA,
1265 .algorithm_enc = SSL_AES256GCM,
1266 .algorithm_mac = SSL_AEAD,
1267 .algorithm_ssl = SSL_TLSV1_2,
1268 .algo_strength = SSL_HIGH,
1269 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1270 FIXED_NONCE_LEN(4)|
1271 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1272 .strength_bits = 256,
1273 .alg_bits = 256,
1274 },
1275
1276 /* Cipher C02F */
1277 {
1278 .valid = 1,
1279 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1280 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1281 .algorithm_mkey = SSL_kECDHE,
1282 .algorithm_auth = SSL_aRSA,
1283 .algorithm_enc = SSL_AES128GCM,
1284 .algorithm_mac = SSL_AEAD,
1285 .algorithm_ssl = SSL_TLSV1_2,
1286 .algo_strength = SSL_HIGH,
1287 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1288 FIXED_NONCE_LEN(4)|
1289 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1290 .strength_bits = 128,
1291 .alg_bits = 128,
1292 },
1293
1294 /* Cipher C030 */
1295 {
1296 .valid = 1,
1297 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1298 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1299 .algorithm_mkey = SSL_kECDHE,
1300 .algorithm_auth = SSL_aRSA,
1301 .algorithm_enc = SSL_AES256GCM,
1302 .algorithm_mac = SSL_AEAD,
1303 .algorithm_ssl = SSL_TLSV1_2,
1304 .algo_strength = SSL_HIGH,
1305 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1306 FIXED_NONCE_LEN(4)|
1307 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1308 .strength_bits = 256,
1309 .alg_bits = 256,
1310 },
1311
1312 /* Cipher CCA8 */
1313 {
1314 .valid = 1,
1315 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1316 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1317 .algorithm_mkey = SSL_kECDHE,
1318 .algorithm_auth = SSL_aRSA,
1319 .algorithm_enc = SSL_CHACHA20POLY1305,
1320 .algorithm_mac = SSL_AEAD,
1321 .algorithm_ssl = SSL_TLSV1_2,
1322 .algo_strength = SSL_HIGH,
1323 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1324 FIXED_NONCE_LEN(12),
1325 .strength_bits = 256,
1326 .alg_bits = 256,
1327 },
1328
1329 /* Cipher CCA9 */
1330 {
1331 .valid = 1,
1332 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1333 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1334 .algorithm_mkey = SSL_kECDHE,
1335 .algorithm_auth = SSL_aECDSA,
1336 .algorithm_enc = SSL_CHACHA20POLY1305,
1337 .algorithm_mac = SSL_AEAD,
1338 .algorithm_ssl = SSL_TLSV1_2,
1339 .algo_strength = SSL_HIGH,
1340 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1341 FIXED_NONCE_LEN(12),
1342 .strength_bits = 256,
1343 .alg_bits = 256,
1344 },
1345
1346 /* Cipher CCAA */
1347 {
1348 .valid = 1,
1349 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1350 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1351 .algorithm_mkey = SSL_kDHE,
1352 .algorithm_auth = SSL_aRSA,
1353 .algorithm_enc = SSL_CHACHA20POLY1305,
1354 .algorithm_mac = SSL_AEAD,
1355 .algorithm_ssl = SSL_TLSV1_2,
1356 .algo_strength = SSL_HIGH,
1357 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1358 FIXED_NONCE_LEN(12),
1359 .strength_bits = 256,
1360 .alg_bits = 256,
1361 },
1362
1363 /* Cipher FF85 FIXME IANA */
1364 {
1365 .valid = 1,
1366 .name = "GOST2012256-GOST89-GOST89",
1367 .id = 0x300ff85, /* FIXME IANA */
1368 .algorithm_mkey = SSL_kGOST,
1369 .algorithm_auth = SSL_aGOST01,
1370 .algorithm_enc = SSL_eGOST2814789CNT,
1371 .algorithm_mac = SSL_GOST89MAC,
1372 .algorithm_ssl = SSL_TLSV1,
1373 .algo_strength = SSL_HIGH,
1374 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1375 TLS1_STREAM_MAC,
1376 .strength_bits = 256,
1377 .alg_bits = 256
1378 },
1379
1380 /* Cipher FF87 FIXME IANA */
1381 {
1382 .valid = 1,
1383 .name = "GOST2012256-NULL-STREEBOG256",
1384 .id = 0x300ff87, /* FIXME IANA */
1385 .algorithm_mkey = SSL_kGOST,
1386 .algorithm_auth = SSL_aGOST01,
1387 .algorithm_enc = SSL_eNULL,
1388 .algorithm_mac = SSL_STREEBOG256,
1389 .algorithm_ssl = SSL_TLSV1,
1390 .algo_strength = SSL_STRONG_NONE,
1391 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1392 .strength_bits = 0,
1393 .alg_bits = 0
1394 },
1395
1396
1397 /* end of list */
1398};
1399
1400int
1401ssl3_num_ciphers(void)
1402{
1403 return (SSL3_NUM_CIPHERS);
1404}
1405
1406const SSL_CIPHER *
1407ssl3_get_cipher(unsigned int u)
1408{
1409 if (u < SSL3_NUM_CIPHERS)
1410 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1411 else
1412 return (NULL);
1413}
1414
1415const SSL_CIPHER *
1416ssl3_get_cipher_by_id(unsigned int id)
1417{
1418 const SSL_CIPHER *cp;
1419 SSL_CIPHER c;
1420
1421 c.id = id;
1422 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1423 if (cp != NULL && cp->valid == 1)
1424 return (cp);
1425
1426 return (NULL);
1427}
1428
1429const SSL_CIPHER *
1430ssl3_get_cipher_by_value(uint16_t value)
1431{
1432 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1433}
1434
1435uint16_t
1436ssl3_cipher_get_value(const SSL_CIPHER *c)
1437{
1438 return (c->id & SSL3_CK_VALUE_MASK);
1439}
1440
1441int
1442ssl3_pending(const SSL *s)
1443{
1444 if (s->internal->rstate == SSL_ST_READ_BODY)
1445 return 0;
1446
1447 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1448 s->s3->rrec.length : 0;
1449}
1450
1451int
1452ssl3_handshake_msg_hdr_len(SSL *s)
1453{
1454 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1455 SSL3_HM_HEADER_LENGTH);
1456}
1457
1458int
1459ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1460{
1461 int ret = 0;
1462
1463 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1464 goto err;
1465 if (!CBB_add_u8(handshake, msg_type))
1466 goto err;
1467 if (SSL_is_dtls(s)) {
1468 unsigned char *data;
1469
1470 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1471 SSL3_HM_HEADER_LENGTH))
1472 goto err;
1473 }
1474 if (!CBB_add_u24_length_prefixed(handshake, body))
1475 goto err;
1476
1477 ret = 1;
1478
1479 err:
1480 return (ret);
1481}
1482
1483int
1484ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1485{
1486 unsigned char *data = NULL;
1487 size_t outlen;
1488 int ret = 0;
1489
1490 if (!CBB_finish(handshake, &data, &outlen))
1491 goto err;
1492
1493 if (outlen > INT_MAX)
1494 goto err;
1495
1496 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen))
1497 goto err;
1498
1499 memcpy(s->internal->init_buf->data, data, outlen);
1500
1501 s->internal->init_num = (int)outlen;
1502 s->internal->init_off = 0;
1503
1504 if (SSL_is_dtls(s)) {
1505 unsigned long len;
1506 uint8_t msg_type;
1507 CBS cbs;
1508
1509 CBS_init(&cbs, data, outlen);
1510 if (!CBS_get_u8(&cbs, &msg_type))
1511 goto err;
1512
1513 len = outlen - ssl3_handshake_msg_hdr_len(s);
1514
1515 dtls1_set_message_header(s, msg_type, len, 0, len);
1516 dtls1_buffer_message(s, 0);
1517 }
1518
1519 ret = 1;
1520
1521 err:
1522 free(data);
1523
1524 return (ret);
1525}
1526
1527int
1528ssl3_handshake_write(SSL *s)
1529{
1530 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1531}
1532
1533int
1534ssl3_record_write(SSL *s, int type)
1535{
1536 if (SSL_is_dtls(s))
1537 return dtls1_do_write(s, type);
1538
1539 return ssl3_do_write(s, type);
1540}
1541
1542int
1543ssl3_new(SSL *s)
1544{
1545 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1546 return (0);
1547
1548 s->method->ssl_clear(s);
1549
1550 return (1);
1551}
1552
1553void
1554ssl3_free(SSL *s)
1555{
1556 if (s == NULL)
1557 return;
1558
1559 tls1_cleanup_key_block(s);
1560 ssl3_release_read_buffer(s);
1561 ssl3_release_write_buffer(s);
1562 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1563
1564 tls_key_share_free(s->s3->hs.key_share);
1565
1566 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1567 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1568 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1569
1570 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1571 sk_X509_pop_free(s->internal->verified_chain, X509_free);
1572
1573 tls1_transcript_free(s);
1574 tls1_transcript_hash_free(s);
1575
1576 free(s->s3->alpn_selected);
1577
1578 freezero(s->s3, sizeof(*s->s3));
1579
1580 s->s3 = NULL;
1581}
1582
1583void
1584ssl3_clear(SSL *s)
1585{
1586 unsigned char *rp, *wp;
1587 size_t rlen, wlen;
1588
1589 tls1_cleanup_key_block(s);
1590 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1591 sk_X509_pop_free(s->internal->verified_chain, X509_free);
1592 s->internal->verified_chain = NULL;
1593
1594 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1595 s->s3->hs.sigalgs = NULL;
1596 s->s3->hs.sigalgs_len = 0;
1597
1598 tls_key_share_free(s->s3->hs.key_share);
1599 s->s3->hs.key_share = NULL;
1600
1601 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1602 s->s3->hs.tls13.secrets = NULL;
1603 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1604 s->s3->hs.tls13.cookie = NULL;
1605 s->s3->hs.tls13.cookie_len = 0;
1606 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1607
1608 s->s3->hs.extensions_seen = 0;
1609
1610 rp = s->s3->rbuf.buf;
1611 wp = s->s3->wbuf.buf;
1612 rlen = s->s3->rbuf.len;
1613 wlen = s->s3->wbuf.len;
1614
1615 tls1_transcript_free(s);
1616 tls1_transcript_hash_free(s);
1617
1618 free(s->s3->alpn_selected);
1619 s->s3->alpn_selected = NULL;
1620 s->s3->alpn_selected_len = 0;
1621
1622 memset(s->s3, 0, sizeof(*s->s3));
1623
1624 s->s3->rbuf.buf = rp;
1625 s->s3->wbuf.buf = wp;
1626 s->s3->rbuf.len = rlen;
1627 s->s3->wbuf.len = wlen;
1628
1629 ssl_free_wbio_buffer(s);
1630
1631 /* Not needed... */
1632 s->s3->renegotiate = 0;
1633 s->s3->total_renegotiations = 0;
1634 s->s3->num_renegotiations = 0;
1635 s->s3->in_read_app_data = 0;
1636
1637 s->internal->packet_length = 0;
1638 s->version = TLS1_VERSION;
1639
1640 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1641}
1642
1643long
1644_SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1645{
1646 EVP_PKEY *pkey = NULL;
1647 int ret = 0;
1648
1649 *key = NULL;
1650
1651 if (s->s3->hs.key_share == NULL)
1652 goto err;
1653
1654 if ((pkey = EVP_PKEY_new()) == NULL)
1655 goto err;
1656 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey))
1657 goto err;
1658
1659 *key = pkey;
1660 pkey = NULL;
1661
1662 ret = 1;
1663
1664 err:
1665 EVP_PKEY_free(pkey);
1666
1667 return (ret);
1668}
1669
1670static int
1671_SSL_session_reused(SSL *s)
1672{
1673 return s->internal->hit;
1674}
1675
1676static int
1677_SSL_num_renegotiations(SSL *s)
1678{
1679 return s->s3->num_renegotiations;
1680}
1681
1682static int
1683_SSL_clear_num_renegotiations(SSL *s)
1684{
1685 int renegs;
1686
1687 renegs = s->s3->num_renegotiations;
1688 s->s3->num_renegotiations = 0;
1689
1690 return renegs;
1691}
1692
1693static int
1694_SSL_total_renegotiations(SSL *s)
1695{
1696 return s->s3->total_renegotiations;
1697}
1698
1699static int
1700_SSL_set_tmp_dh(SSL *s, DH *dh)
1701{
1702 DH *dhe_params;
1703
1704 if (dh == NULL) {
1705 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1706 return 0;
1707 }
1708
1709 if ((dhe_params = DHparams_dup(dh)) == NULL) {
1710 SSLerror(s, ERR_R_DH_LIB);
1711 return 0;
1712 }
1713
1714 DH_free(s->cert->dhe_params);
1715 s->cert->dhe_params = dhe_params;
1716
1717 return 1;
1718}
1719
1720static int
1721_SSL_set_dh_auto(SSL *s, int state)
1722{
1723 s->cert->dhe_params_auto = state;
1724 return 1;
1725}
1726
1727static int
1728_SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1729{
1730 const EC_GROUP *group;
1731 int nid;
1732
1733 if (ecdh == NULL)
1734 return 0;
1735 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1736 return 0;
1737
1738 nid = EC_GROUP_get_curve_name(group);
1739 return SSL_set1_groups(s, &nid, 1);
1740}
1741
1742static int
1743_SSL_set_ecdh_auto(SSL *s, int state)
1744{
1745 return 1;
1746}
1747
1748static int
1749_SSL_set_tlsext_host_name(SSL *s, const char *name)
1750{
1751 int is_ip;
1752 CBS cbs;
1753
1754 free(s->tlsext_hostname);
1755 s->tlsext_hostname = NULL;
1756
1757 if (name == NULL)
1758 return 1;
1759
1760 CBS_init(&cbs, name, strlen(name));
1761
1762 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
1763 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1764 return 0;
1765 }
1766 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1767 SSLerror(s, ERR_R_INTERNAL_ERROR);
1768 return 0;
1769 }
1770
1771 return 1;
1772}
1773
1774static int
1775_SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1776{
1777 s->internal->tlsext_debug_arg = arg;
1778 return 1;
1779}
1780
1781static int
1782_SSL_get_tlsext_status_type(SSL *s)
1783{
1784 return s->tlsext_status_type;
1785}
1786
1787static int
1788_SSL_set_tlsext_status_type(SSL *s, int type)
1789{
1790 s->tlsext_status_type = type;
1791 return 1;
1792}
1793
1794static int
1795_SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1796{
1797 *exts = s->internal->tlsext_ocsp_exts;
1798 return 1;
1799}
1800
1801static int
1802_SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1803{
1804 /* XXX - leak... */
1805 s->internal->tlsext_ocsp_exts = exts;
1806 return 1;
1807}
1808
1809static int
1810_SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1811{
1812 *ids = s->internal->tlsext_ocsp_ids;
1813 return 1;
1814}
1815
1816static int
1817_SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1818{
1819 /* XXX - leak... */
1820 s->internal->tlsext_ocsp_ids = ids;
1821 return 1;
1822}
1823
1824static int
1825_SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1826{
1827 if (s->internal->tlsext_ocsp_resp != NULL &&
1828 s->internal->tlsext_ocsp_resp_len < INT_MAX) {
1829 *resp = s->internal->tlsext_ocsp_resp;
1830 return (int)s->internal->tlsext_ocsp_resp_len;
1831 }
1832
1833 *resp = NULL;
1834
1835 return -1;
1836}
1837
1838static int
1839_SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1840{
1841 free(s->internal->tlsext_ocsp_resp);
1842 s->internal->tlsext_ocsp_resp = NULL;
1843 s->internal->tlsext_ocsp_resp_len = 0;
1844
1845 if (resp_len < 0)
1846 return 0;
1847
1848 s->internal->tlsext_ocsp_resp = resp;
1849 s->internal->tlsext_ocsp_resp_len = (size_t)resp_len;
1850
1851 return 1;
1852}
1853
1854int
1855SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1856{
1857 return ssl_cert_set0_chain(ssl->cert, chain);
1858}
1859
1860int
1861SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1862{
1863 return ssl_cert_set1_chain(ssl->cert, chain);
1864}
1865
1866int
1867SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1868{
1869 return ssl_cert_add0_chain_cert(ssl->cert, x509);
1870}
1871
1872int
1873SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1874{
1875 return ssl_cert_add1_chain_cert(ssl->cert, x509);
1876}
1877
1878int
1879SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1880{
1881 *out_chain = NULL;
1882
1883 if (ssl->cert->key != NULL)
1884 *out_chain = ssl->cert->key->chain;
1885
1886 return 1;
1887}
1888
1889int
1890SSL_clear_chain_certs(SSL *ssl)
1891{
1892 return ssl_cert_set0_chain(ssl->cert, NULL);
1893}
1894
1895int
1896SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1897{
1898 return tls1_set_groups(&s->internal->tlsext_supportedgroups,
1899 &s->internal->tlsext_supportedgroups_length, groups, groups_len);
1900}
1901
1902int
1903SSL_set1_groups_list(SSL *s, const char *groups)
1904{
1905 return tls1_set_group_list(&s->internal->tlsext_supportedgroups,
1906 &s->internal->tlsext_supportedgroups_length, groups);
1907}
1908
1909static int
1910_SSL_get_signature_nid(SSL *s, int *nid)
1911{
1912 const struct ssl_sigalg *sigalg;
1913
1914 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1915 return 0;
1916
1917 *nid = EVP_MD_type(sigalg->md());
1918
1919 return 1;
1920}
1921
1922static int
1923_SSL_get_peer_signature_nid(SSL *s, int *nid)
1924{
1925 const struct ssl_sigalg *sigalg;
1926
1927 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1928 return 0;
1929
1930 *nid = EVP_MD_type(sigalg->md());
1931
1932 return 1;
1933}
1934
1935int
1936SSL_get_signature_type_nid(const SSL *s, int *nid)
1937{
1938 const struct ssl_sigalg *sigalg;
1939
1940 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1941 return 0;
1942
1943 *nid = sigalg->key_type;
1944 if (sigalg->key_type == EVP_PKEY_RSA &&
1945 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
1946 *nid = EVP_PKEY_RSA_PSS;
1947
1948 return 1;
1949}
1950
1951int
1952SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
1953{
1954 const struct ssl_sigalg *sigalg;
1955
1956 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1957 return 0;
1958
1959 *nid = sigalg->key_type;
1960 if (sigalg->key_type == EVP_PKEY_RSA &&
1961 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
1962 *nid = EVP_PKEY_RSA_PSS;
1963
1964 return 1;
1965}
1966
1967long
1968ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1969{
1970 switch (cmd) {
1971 case SSL_CTRL_GET_SESSION_REUSED:
1972 return _SSL_session_reused(s);
1973
1974 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1975 return _SSL_num_renegotiations(s);
1976
1977 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1978 return _SSL_clear_num_renegotiations(s);
1979
1980 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1981 return _SSL_total_renegotiations(s);
1982
1983 case SSL_CTRL_SET_TMP_DH:
1984 return _SSL_set_tmp_dh(s, parg);
1985
1986 case SSL_CTRL_SET_TMP_DH_CB:
1987 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1988 return 0;
1989
1990 case SSL_CTRL_SET_DH_AUTO:
1991 return _SSL_set_dh_auto(s, larg);
1992
1993 case SSL_CTRL_SET_TMP_ECDH:
1994 return _SSL_set_tmp_ecdh(s, parg);
1995
1996 case SSL_CTRL_SET_TMP_ECDH_CB:
1997 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1998 return 0;
1999
2000 case SSL_CTRL_SET_ECDH_AUTO:
2001 return _SSL_set_ecdh_auto(s, larg);
2002
2003 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
2004 if (larg != TLSEXT_NAMETYPE_host_name) {
2005 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
2006 return 0;
2007 }
2008 return _SSL_set_tlsext_host_name(s, parg);
2009
2010 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2011 return _SSL_set_tlsext_debug_arg(s, parg);
2012
2013 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
2014 return _SSL_get_tlsext_status_type(s);
2015
2016 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
2017 return _SSL_set_tlsext_status_type(s, larg);
2018
2019 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
2020 return _SSL_get_tlsext_status_exts(s, parg);
2021
2022 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
2023 return _SSL_set_tlsext_status_exts(s, parg);
2024
2025 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
2026 return _SSL_get_tlsext_status_ids(s, parg);
2027
2028 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
2029 return _SSL_set_tlsext_status_ids(s, parg);
2030
2031 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
2032 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
2033
2034 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
2035 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
2036
2037 case SSL_CTRL_CHAIN:
2038 if (larg == 0)
2039 return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
2040 else
2041 return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
2042
2043 case SSL_CTRL_CHAIN_CERT:
2044 if (larg == 0)
2045 return SSL_add0_chain_cert(s, (X509 *)parg);
2046 else
2047 return SSL_add1_chain_cert(s, (X509 *)parg);
2048
2049 case SSL_CTRL_GET_CHAIN_CERTS:
2050 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
2051
2052 case SSL_CTRL_SET_GROUPS:
2053 return SSL_set1_groups(s, parg, larg);
2054
2055 case SSL_CTRL_SET_GROUPS_LIST:
2056 return SSL_set1_groups_list(s, parg);
2057
2058 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
2059 case SSL_CTRL_GET_SERVER_TMP_KEY:
2060 if (s->server != 0)
2061 return 0;
2062 return _SSL_get_peer_tmp_key(s, parg);
2063
2064 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2065 return SSL_get_min_proto_version(s);
2066
2067 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2068 return SSL_get_max_proto_version(s);
2069
2070 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2071 if (larg < 0 || larg > UINT16_MAX)
2072 return 0;
2073 return SSL_set_min_proto_version(s, larg);
2074
2075 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2076 if (larg < 0 || larg > UINT16_MAX)
2077 return 0;
2078 return SSL_set_max_proto_version(s, larg);
2079
2080 case SSL_CTRL_GET_SIGNATURE_NID:
2081 return _SSL_get_signature_nid(s, parg);
2082
2083 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
2084 return _SSL_get_peer_signature_nid(s, parg);
2085
2086 /*
2087 * Legacy controls that should eventually be removed.
2088 */
2089 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2090 return 0;
2091
2092 case SSL_CTRL_GET_FLAGS:
2093 return (int)(s->s3->flags);
2094
2095 case SSL_CTRL_NEED_TMP_RSA:
2096 return 0;
2097
2098 case SSL_CTRL_SET_TMP_RSA:
2099 case SSL_CTRL_SET_TMP_RSA_CB:
2100 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2101 return 0;
2102 }
2103
2104 return 0;
2105}
2106
2107long
2108ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2109{
2110 switch (cmd) {
2111 case SSL_CTRL_SET_TMP_RSA_CB:
2112 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2113 return 0;
2114
2115 case SSL_CTRL_SET_TMP_DH_CB:
2116 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp;
2117 return 1;
2118
2119 case SSL_CTRL_SET_TMP_ECDH_CB:
2120 return 1;
2121
2122 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2123 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
2124 unsigned char *, int, void *))fp;
2125 return 1;
2126 }
2127
2128 return 0;
2129}
2130
2131static int
2132_SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2133{
2134 DH *dhe_params;
2135
2136 if (dh == NULL) {
2137 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
2138 return 0;
2139 }
2140
2141 if ((dhe_params = DHparams_dup(dh)) == NULL) {
2142 SSLerrorx(ERR_R_DH_LIB);
2143 return 0;
2144 }
2145
2146 DH_free(ctx->internal->cert->dhe_params);
2147 ctx->internal->cert->dhe_params = dhe_params;
2148
2149 return 1;
2150}
2151
2152static int
2153_SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2154{
2155 ctx->internal->cert->dhe_params_auto = state;
2156 return 1;
2157}
2158
2159static int
2160_SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2161{
2162 const EC_GROUP *group;
2163 int nid;
2164
2165 if (ecdh == NULL)
2166 return 0;
2167 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2168 return 0;
2169
2170 nid = EC_GROUP_get_curve_name(group);
2171 return SSL_CTX_set1_groups(ctx, &nid, 1);
2172}
2173
2174static int
2175_SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2176{
2177 return 1;
2178}
2179
2180static int
2181_SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2182{
2183 ctx->internal->tlsext_servername_arg = arg;
2184 return 1;
2185}
2186
2187static int
2188_SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2189{
2190 if (keys == NULL)
2191 return 48;
2192
2193 if (keys_len != 48) {
2194 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2195 return 0;
2196 }
2197
2198 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2199 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16);
2200 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16);
2201
2202 return 1;
2203}
2204
2205static int
2206_SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2207{
2208 if (keys == NULL)
2209 return 48;
2210
2211 if (keys_len != 48) {
2212 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2213 return 0;
2214 }
2215
2216 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2217 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16);
2218 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2219
2220 return 1;
2221}
2222
2223static int
2224_SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2225{
2226 *arg = ctx->internal->tlsext_status_arg;
2227 return 1;
2228}
2229
2230static int
2231_SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2232{
2233 ctx->internal->tlsext_status_arg = arg;
2234 return 1;
2235}
2236
2237int
2238SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2239{
2240 return ssl_cert_set0_chain(ctx->internal->cert, chain);
2241}
2242
2243int
2244SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2245{
2246 return ssl_cert_set1_chain(ctx->internal->cert, chain);
2247}
2248
2249int
2250SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2251{
2252 return ssl_cert_add0_chain_cert(ctx->internal->cert, x509);
2253}
2254
2255int
2256SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2257{
2258 return ssl_cert_add1_chain_cert(ctx->internal->cert, x509);
2259}
2260
2261int
2262SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2263{
2264 *out_chain = NULL;
2265
2266 if (ctx->internal->cert->key != NULL)
2267 *out_chain = ctx->internal->cert->key->chain;
2268
2269 return 1;
2270}
2271
2272int
2273SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2274{
2275 return ssl_cert_set0_chain(ctx->internal->cert, NULL);
2276}
2277
2278static int
2279_SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2280{
2281 if (ctx->extra_certs == NULL) {
2282 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2283 return 0;
2284 }
2285 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2286 return 0;
2287
2288 return 1;
2289}
2290
2291static int
2292_SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2293{
2294 *certs = ctx->extra_certs;
2295 if (*certs == NULL)
2296 *certs = ctx->internal->cert->key->chain;
2297
2298 return 1;
2299}
2300
2301static int
2302_SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2303{
2304 *certs = ctx->extra_certs;
2305 return 1;
2306}
2307
2308static int
2309_SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2310{
2311 sk_X509_pop_free(ctx->extra_certs, X509_free);
2312 ctx->extra_certs = NULL;
2313 return 1;
2314}
2315
2316int
2317SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2318{
2319 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
2320 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
2321}
2322
2323int
2324SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2325{
2326 return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups,
2327 &ctx->internal->tlsext_supportedgroups_length, groups);
2328}
2329
2330long
2331ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2332{
2333 switch (cmd) {
2334 case SSL_CTRL_SET_TMP_DH:
2335 return _SSL_CTX_set_tmp_dh(ctx, parg);
2336
2337 case SSL_CTRL_SET_TMP_DH_CB:
2338 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2339 return 0;
2340
2341 case SSL_CTRL_SET_DH_AUTO:
2342 return _SSL_CTX_set_dh_auto(ctx, larg);
2343
2344 case SSL_CTRL_SET_TMP_ECDH:
2345 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2346
2347 case SSL_CTRL_SET_TMP_ECDH_CB:
2348 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2349 return 0;
2350
2351 case SSL_CTRL_SET_ECDH_AUTO:
2352 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2353
2354 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2355 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2356
2357 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2358 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2359
2360 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2361 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2362
2363 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2364 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2365
2366 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2367 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2368
2369 case SSL_CTRL_CHAIN:
2370 if (larg == 0)
2371 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2372 else
2373 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2374
2375 case SSL_CTRL_CHAIN_CERT:
2376 if (larg == 0)
2377 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2378 else
2379 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2380
2381 case SSL_CTRL_GET_CHAIN_CERTS:
2382 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2383
2384 case SSL_CTRL_EXTRA_CHAIN_CERT:
2385 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2386
2387 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2388 if (larg == 0)
2389 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2390 else
2391 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2392
2393 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2394 return _SSL_CTX_clear_extra_chain_certs(ctx);
2395
2396 case SSL_CTRL_SET_GROUPS:
2397 return SSL_CTX_set1_groups(ctx, parg, larg);
2398
2399 case SSL_CTRL_SET_GROUPS_LIST:
2400 return SSL_CTX_set1_groups_list(ctx, parg);
2401
2402 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2403 return SSL_CTX_get_min_proto_version(ctx);
2404
2405 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2406 return SSL_CTX_get_max_proto_version(ctx);
2407
2408 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2409 if (larg < 0 || larg > UINT16_MAX)
2410 return 0;
2411 return SSL_CTX_set_min_proto_version(ctx, larg);
2412
2413 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2414 if (larg < 0 || larg > UINT16_MAX)
2415 return 0;
2416 return SSL_CTX_set_max_proto_version(ctx, larg);
2417
2418 /*
2419 * Legacy controls that should eventually be removed.
2420 */
2421 case SSL_CTRL_NEED_TMP_RSA:
2422 return 0;
2423
2424 case SSL_CTRL_SET_TMP_RSA:
2425 case SSL_CTRL_SET_TMP_RSA_CB:
2426 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2427 return 0;
2428 }
2429
2430 return 0;
2431}
2432
2433long
2434ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2435{
2436 switch (cmd) {
2437 case SSL_CTRL_SET_TMP_RSA_CB:
2438 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2439 return 0;
2440
2441 case SSL_CTRL_SET_TMP_DH_CB:
2442 ctx->internal->cert->dhe_params_cb =
2443 (DH *(*)(SSL *, int, int))fp;
2444 return 1;
2445
2446 case SSL_CTRL_SET_TMP_ECDH_CB:
2447 return 1;
2448
2449 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2450 ctx->internal->tlsext_servername_callback =
2451 (int (*)(SSL *, int *, void *))fp;
2452 return 1;
2453
2454 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2455 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb;
2456 return 1;
2457
2458 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2459 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2460 return 1;
2461
2462 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2463 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2464 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2465 return 1;
2466 }
2467
2468 return 0;
2469}
2470
2471SSL_CIPHER *
2472ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2473 STACK_OF(SSL_CIPHER) *srvr)
2474{
2475 unsigned long alg_k, alg_a, mask_k, mask_a;
2476 STACK_OF(SSL_CIPHER) *prio, *allow;
2477 SSL_CIPHER *c, *ret = NULL;
2478 int can_use_ecc;
2479 int i, ii, ok;
2480 SSL_CERT *cert;
2481
2482 /* Let's see which ciphers we can support */
2483 cert = s->cert;
2484
2485 can_use_ecc = (tls1_get_shared_curve(s) != NID_undef);
2486
2487 /*
2488 * Do not set the compare functions, because this may lead to a
2489 * reordering by "id". We want to keep the original ordering.
2490 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2491 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2492 */
2493
2494 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2495 prio = srvr;
2496 allow = clnt;
2497 } else {
2498 prio = clnt;
2499 allow = srvr;
2500 }
2501
2502 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2503 c = sk_SSL_CIPHER_value(prio, i);
2504
2505 /* Skip TLS v1.2 only ciphersuites if not supported. */
2506 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2507 !SSL_USE_TLS1_2_CIPHERS(s))
2508 continue;
2509
2510 /* Skip TLS v1.3 only ciphersuites if not supported. */
2511 if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2512 !SSL_USE_TLS1_3_CIPHERS(s))
2513 continue;
2514
2515 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2516 if (SSL_USE_TLS1_3_CIPHERS(s) &&
2517 !(c->algorithm_ssl & SSL_TLSV1_3))
2518 continue;
2519
2520 ssl_set_cert_masks(cert, c);
2521 mask_k = cert->mask_k;
2522 mask_a = cert->mask_a;
2523
2524 alg_k = c->algorithm_mkey;
2525 alg_a = c->algorithm_auth;
2526
2527 ok = (alg_k & mask_k) && (alg_a & mask_a);
2528
2529 /*
2530 * If we are considering an ECC cipher suite that uses our
2531 * certificate check it.
2532 */
2533 if (alg_a & SSL_aECDSA)
2534 ok = ok && tls1_check_ec_server_key(s);
2535 /*
2536 * If we are considering an ECC cipher suite that uses
2537 * an ephemeral EC key check it.
2538 */
2539 if (alg_k & SSL_kECDHE)
2540 ok = ok && can_use_ecc;
2541
2542 if (!ok)
2543 continue;
2544 ii = sk_SSL_CIPHER_find(allow, c);
2545 if (ii >= 0) {
2546 ret = sk_SSL_CIPHER_value(allow, ii);
2547 break;
2548 }
2549 }
2550 return (ret);
2551}
2552
2553int
2554ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2555{
2556 unsigned long alg_k;
2557
2558 alg_k = s->s3->hs.cipher->algorithm_mkey;
2559
2560#ifndef OPENSSL_NO_GOST
2561 if ((alg_k & SSL_kGOST) != 0) {
2562 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2563 return 0;
2564 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2565 return 0;
2566 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2567 return 0;
2568 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT))
2569 return 0;
2570 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT))
2571 return 0;
2572 }
2573#endif
2574
2575 if ((alg_k & SSL_kDHE) != 0) {
2576 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2577 return 0;
2578 }
2579
2580 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2581 return 0;
2582
2583 /*
2584 * ECDSA certs can be used with RSA cipher suites as well
2585 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2586 */
2587 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2588 return 0;
2589
2590 return 1;
2591}
2592
2593int
2594ssl3_shutdown(SSL *s)
2595{
2596 int ret;
2597
2598 /*
2599 * Don't do anything much if we have not done the handshake or
2600 * we don't want to send messages :-)
2601 */
2602 if ((s->internal->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) {
2603 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2604 return (1);
2605 }
2606
2607 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) {
2608 s->internal->shutdown|=SSL_SENT_SHUTDOWN;
2609 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2610 /*
2611 * Our shutdown alert has been sent now, and if it still needs
2612 * to be written, s->s3->alert_dispatch will be true
2613 */
2614 if (s->s3->alert_dispatch)
2615 return (-1); /* return WANT_WRITE */
2616 } else if (s->s3->alert_dispatch) {
2617 /* resend it if not sent */
2618 ret = ssl3_dispatch_alert(s);
2619 if (ret == -1) {
2620 /*
2621 * We only get to return -1 here the 2nd/Nth
2622 * invocation, we must have already signalled
2623 * return 0 upon a previous invoation,
2624 * return WANT_WRITE
2625 */
2626 return (ret);
2627 }
2628 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2629 /* If we are waiting for a close from our peer, we are closed */
2630 s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
2631 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2632 return (-1); /* return WANT_READ */
2633 }
2634 }
2635
2636 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2637 !s->s3->alert_dispatch)
2638 return (1);
2639 else
2640 return (0);
2641}
2642
2643int
2644ssl3_write(SSL *s, const void *buf, int len)
2645{
2646 errno = 0;
2647
2648 if (s->s3->renegotiate)
2649 ssl3_renegotiate_check(s);
2650
2651 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2652 buf, len);
2653}
2654
2655static int
2656ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2657{
2658 int ret;
2659
2660 errno = 0;
2661 if (s->s3->renegotiate)
2662 ssl3_renegotiate_check(s);
2663 s->s3->in_read_app_data = 1;
2664
2665 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2666 peek);
2667 if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
2668 /*
2669 * ssl3_read_bytes decided to call s->internal->handshake_func,
2670 * which called ssl3_read_bytes to read handshake data.
2671 * However, ssl3_read_bytes actually found application data
2672 * and thinks that application data makes sense here; so disable
2673 * handshake processing and try to read application data again.
2674 */
2675 s->internal->in_handshake++;
2676 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
2677 buf, len, peek);
2678 s->internal->in_handshake--;
2679 } else
2680 s->s3->in_read_app_data = 0;
2681
2682 return (ret);
2683}
2684
2685int
2686ssl3_read(SSL *s, void *buf, int len)
2687{
2688 return ssl3_read_internal(s, buf, len, 0);
2689}
2690
2691int
2692ssl3_peek(SSL *s, void *buf, int len)
2693{
2694 return ssl3_read_internal(s, buf, len, 1);
2695}
2696
2697int
2698ssl3_renegotiate(SSL *s)
2699{
2700 if (s->internal->handshake_func == NULL)
2701 return 1;
2702
2703 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2704 return 0;
2705
2706 s->s3->renegotiate = 1;
2707
2708 return 1;
2709}
2710
2711int
2712ssl3_renegotiate_check(SSL *s)
2713{
2714 if (!s->s3->renegotiate)
2715 return 0;
2716 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0)
2717 return 0;
2718
2719 s->s3->hs.state = SSL_ST_RENEGOTIATE;
2720 s->s3->renegotiate = 0;
2721 s->s3->num_renegotiations++;
2722 s->s3->total_renegotiations++;
2723
2724 return 1;
2725}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-14 02:56:35 +0000